Configuring the Confluent Server Authorizer

Important

This feature is available as a preview feature. A preview feature is a component of Confluent Platform that is being introduced to gain early feedback from developers. This feature can be used for evaluation and non-production testing purposes or to provide feedback to Confluent.

To view configuration details about role-based access control (RBAC), see:

Configuration Overview

To enable authorization using the Confluent Server Authorizer, the broker configuration (in the server.properties file) must set authorizer.class.name to io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer:

authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer

The following configuration options are also processed by the Confluent Server Authorizer.

super.users

Semicolon-separated list of principals of super users or super groups who are allowed access to all of the resources for all actions on all hosts. If a resource has no ACLs associated with it, then only super users can access the resource. For an example of how to set this, see Configure Brokers.

  • Type: string
  • Default: ""
  • Importance: medium

allow.everyone.if.no.acl.found

Boolean flag that indicates whether or not everyone is allowed access to a resource if no ACL is found for the user principal or any of the groups to which the user belongs.

  • Type: boolean
  • Default: false
  • Importance: medium

confluent.license

Confluent issues a license key to each subscriber. The license key is a short snippet of text that you can copy and paste. Without the license key, you can use Confluent security plugins for a 30-day trial period. If you are a subscriber and don’t have a license key, please contact Confluent Support at support@confluent.io.

  • Type: string
  • Default: ""
  • Importance: high

confluent.authorizer.access.rule.providers

List of access rule providers that are enabled. Supported access rule providers are RBAC and ACL. The ACL-based provider is enabled by default.

  • Type: list
  • Default: ACL
  • Importance: medium

confluent.authorizer.init.timeout.ms

The number of milliseconds to wait for the Authorizer to start up and initialize any metadata from Kafka topics. On brokers of the cluster hosting metadata topics, inter-broker listeners will be started prior to initialization of Authorizer metadata from Kafka topics.

  • Type: int
  • Default: 600000
  • Valid Values: [0,…]
  • Importance: low
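
The following is an added example, not Confluent code: a small pre-deployment check that reads a server.properties file and reports authorizer settings that deviate from the options described above. The function names (parse_properties, audit) and the sample file are constructed for illustration, and the check assumes super.users principals use Kafka's Type:name form.

```python
EXPECTED_AUTHORIZER = "io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer"
SUPPORTED_PROVIDERS = {"RBAC", "ACL"}  # the two providers this page lists

def parse_properties(text):
    """Minimal key=value parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return a list of findings for the authorizer settings described above."""
    p = parse_properties(text)
    findings = []
    if p.get("authorizer.class.name") != EXPECTED_AUTHORIZER:
        findings.append("authorizer.class.name is not ConfluentServerAuthorizer")
    # Default is false: a resource with no ACLs is then reachable by super users only.
    if p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("allow.everyone.if.no.acl.found=true opens resources that have no ACLs")
    providers = p.get("confluent.authorizer.access.rule.providers", "ACL").split(",")
    for name in (x.strip() for x in providers):
        if name not in SUPPORTED_PROVIDERS:
            findings.append(f"unsupported access rule provider: {name!r}")
    # Assumption: principals are written Type:name (for example User:admin).
    for entry in p.get("super.users", "").split(";"):
        if entry.strip() and ":" not in entry:
            findings.append(f"super.users entry is not Type:name: {entry.strip()!r}")
    timeout = p.get("confluent.authorizer.init.timeout.ms", "600000")
    if not timeout.isdigit():  # valid range starts at 0, so digits only
        findings.append(f"init timeout is not a non-negative integer: {timeout!r}")
    return findings

# Constructed sample input, not taken from a real broker.
SAMPLE = """\
# broker authorization (constructed example)
authorizer.class.name=io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
super.users=User:admin;kafka-ops
allow.everyone.if.no.acl.found=true
confluent.authorizer.access.rule.providers=RBAC,ACLS
confluent.authorizer.init.timeout.ms=-1
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
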